Creating a User with Access to a Single Command

Ohad Levy ohadlevy at gmail.com
Tue Apr 5 22:37:12 IDT 2011


On Mon, Apr 4, 2011 at 12:05 PM, Ariel Biener <ariel at post.tau.ac.il> wrote:

>
> That's not what you want. Please read about "restricted shell".
>
> A working example:
>
> /etc/passwd:
> ariel:x:uid:gid::/home/ariel:/bin/rbash
>
> ls -l /bin/rbash
> lrwxrwxrwx  1 root root 4 Apr 10  2006 /bin/rbash -> bash
>
> drwx-----t  4 ariel mygroup 4096 Apr  1 22:50 /home/ariel
>
> ls -al ~ariel
> -r-xr-xr-x    1 root  root   688 Apr  7  2010 .profile
> -rw-r--r--    1 root  root     0 Apr  7  2010 .inputrc
> lrwxrwxrwx    1 root  root     8 Apr  7  2010 .bashrc -> .profile
> lrwxrwxrwx    1 root  root     8 Apr  7  2010 .bash_profile -> .profile
> -rw-r--r--    1 root  root     0 Apr  7  2010 .bash_logout
> lrwxrwxrwx    1 root  root     8 Apr  7  2010 .bash_login -> .profile
> drwx------    2 ariel mygroup 4096 Apr 23  2010 .ssh
> -rw-------    1 ariel mygroup 660 Apr  1 22:50 .Xauthority
>
> cat .profile
> #! /bin/rbash
>
> declare -r PS1='(myhost)>'
>
> unset BASH_VERSION
> unset HISTFILE
> unset HISTFILESIZE
> unset HOSTTYPE
> unset MACHTYPE
> unset OSTYPE
> unset _INIT_PREV_LEVEL
> unset _INIT_RUN_LEVEL
> unset _INIT_RUN_NPREV
> unset _INIT_UTS_ISA
> unset _INIT_UTS_MACHINE
> unset _INIT_UTS_NODENAME
> unset _INIT_UTS_PLATFORM
> unset _INIT_UTS_RELEASE
> unset _INIT_UTS_SYSNAME
> unset _INIT_UTS_VERSION
>
> unset PATH
> unset MAIL
> unset MAILCHECK
> unset HISTFILESIZE
> unset HISTSIZE
> unset HZ
> unset PS2
> unset PS4
>
> declare -rx PATH=/usr/local/restricted
> declare -rx HOSTNAME=myhost.mydomain
> declare -rx TZ=Israel
>
> echo "
> Welcome to gate.
>
> The following commands can be used: telnet, ssh.
> "
>
> declare -rx HOME=~
> =========================
>
> ls -l /usr/local/restricted
> lrwxrwxrwx  1 root root 12 Apr 10  2006 ssh -> /usr/bin/ssh
> lrwxrwxrwx  1 root root 24 Mar 13  2006 telnet -> /usr/kerberos/bin/telnet
>
>
Maybe I'm missing something... but what would happen if the user simply typed
/usr/bin/something else?

Ohad
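Ohad's question is the one a restricted shell is built to answer: in restricted mode bash refuses any command name that contains a `/`, so `/usr/bin/something` is never run. What the restriction does not cover matters just as much, and the script below probes both sides. It is an added example, not code from either post or from the bash project; it assumes only that a `bash` binary is on PATH, uses `sh` as a stand-in for any permitted command that can start another program (telnet's `!` escape, ssh with a ProxyCommand, an editor), and checks startup files in a directory you name rather than the quoted home directory.

```shell
#!/bin/bash
# Added example, not from the thread: probe what bash's restricted mode
# (rbash, or bash -r) refuses, show where that protection stops, and check
# the startup files an rbash login depends on. Assumes a bash binary on PATH.

# rbash_blocks CMD: run CMD in a restricted non-interactive bash. Returns 0
# only if restricted mode refused it. bash reports these refusals with the
# word "restricted", except PATH/SHELL/ENV/BASH_ENV assignments, which it
# reports as "readonly variable" because those variables are made read-only.
rbash_blocks() {
    local err
    if err=$(bash -r -c "$1" 2>&1 >/dev/null); then
        return 1                       # it ran: nothing stopped it
    fi
    case "$err" in
        *restricted* | *readonly*) return 0 ;;
        *) return 1 ;;                 # failed, but not because of the restriction
    esac
}

# rbash_child_is_unrestricted: the restriction is a property of the shell
# process, not of the session. Here 'sh' stands in for any permitted command
# that can start another program; the program it starts uses a slash path,
# which rbash itself would have refused. Returns 0 if that succeeded.
rbash_child_is_unrestricted() {
    local bashbin out
    bashbin=$(command -v bash) || return 2
    # PATH is fixed before the restricted shell starts, as a login setup does;
    # 'sh' is a bare name, so the restricted shell is allowed to run it.
    out=$(PATH=/bin "$bashbin" -r -c "sh -c '/bin/echo child-used-a-slash-path'" 2>/dev/null)
    [ "$out" = "child-used-a-slash-path" ]
}

# loose_startup_files DIR: print the rbash startup files in DIR that are
# group- or world-writable. Restrictions are applied only after these files
# are read, so a user who can edit one simply removes the restriction.
# Returns 0 if any were found, 1 if all are clean. Ownership is not checked
# here; in the quoted setup the files belong to root, which is what actually
# keeps the user from editing or replacing them.
loose_startup_files() {
    local dir=$1 f found=1 perms
    for f in .profile .bash_profile .bash_login .bashrc .inputrc; do
        [ -e "$dir/$f" ] || continue
        perms=$(ls -ldL "$dir/$f")     # "-rw-rw-r-- ...": char 6 is group w, char 9 is other w
        case "$perms" in
            ?????w* | ????????w*) echo "$dir/$f"; found=0 ;;
        esac
    done
    return $found
}

main() {
    local c
    for c in '/bin/echo hi' 'cd /' 'PATH=/tmp' 'echo hi >/tmp/out' 'exec /bin/sh' 'echo hi'; do
        if rbash_blocks "$c"; then echo "blocked : $c"; else echo "allowed : $c"; fi
    done
    if rbash_child_is_unrestricted; then
        echo "a permitted command that starts another program is not restricted"
    fi
    # Example audit of a real account: loose_startup_files /home/ariel
}
main
```

The first function answers the question in the reply: a slash in the command name, `cd`, a PATH assignment, output redirection and `exec` are all refused, while plain `echo hi` runs. The second shows why the contents of the restricted PATH directory decide everything: rbash does not follow the user into the programs it launches, so each allowed command has to be one that cannot start a shell or another program on the user's behalf. The third is a quick check on the part of the setup the quoted `ls -al` output gets right, root-owned, non-writable startup files.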